GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-19 12:28:02
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000067 ST932032 rev.0002
Running: noyvvruw.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\kwxdrpoc.sys


---- System - GMER 1.0.15 ----

SSDT  922C8826  ZwCreateSection
SSDT  922C8830  ZwRequestWaitReplyPort
SSDT  922C882B  ZwSetContextThread
SSDT  922C8835  ZwSetSecurityObject
SSDT  922C883A  ZwSystemDebugControl
SSDT  922C87C7  ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKey + 13C1  830413D9 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  8307AD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7  83081EEC 4 Bytes  [26, 88, 2C, 92] {MOV ES:[EDX+EDX*4], CH}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1553  83082248 4 Bytes  [30, 88, 2C, 92]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597  8308228C 4 Bytes  [2B, 88, 2C, 92]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1613  83082308 4 Bytes  [35, 88, 2C, 92]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1667  8308235C 4 Bytes  [3A, 88, 2C, 92]
.text  ...
?  System32\Drivers\sprf.sys  The system cannot find the path specified. !
.text  netbt.sys!?OnDirectoryW@@YGIE_NPAD&U  91CB2000 47 Bytes  [90, 90, 90, 90, 90, 8B, FF, ...]
.text  netbt.sys!?OnDirectoryW@@YGIE_NPAD&U + 30  91CB2030 10 Bytes  [EB, 75, 3C, 02, 72, 08, 56, ...]
.text  netbt.sys!?OnDirectoryW@@YGIE_NPAD&U + 3B  91CB203B 65 Bytes  [00, EB, E8, FE, C0, 8A, D3, ...]
.text  netbt.sys!?OnDirectoryW@@YGIE_NPAD&U + 7D  91CB207D 10 Bytes  [56, 74, 17, 3C, 02, 74, 17, ...]
.text  netbt.sys!?OnDirectoryW@@YGIE_NPAD&U + 89  91CB2089 131 Bytes  [FF, 76, 10, 83, C6, 38, 56, ...]
.text  ...
.text  netbt.sys!?InstallListExA@@YGPAJDGJG&U + 2  91CB2AFC 16 Bytes  [55, 08, 8B, 0A, 85, C9, 74, ...]
.text  netbt.sys!?IsConfigNew@@YGDPAMGN&U + 9  91CB2B0D 28 Bytes  [89, 41, 04, 81, 7A, 08, 00, ...]
.text  netbt.sys!?CancelDirectoryExA@@YGJMFPADPAH&U + 8  91CB2B2A 1 Byte  [04]
.text  netbt.sys!?CancelDirectoryExA@@YGJMFPADPAH&U + 8  91CB2B2A 141 Bytes  [04, 00, 90, 90, 90, 90, 90, ...]
.text  netbt.sys!?GenerateMutantEx@@YGPAXHPAI&U  91CB2BB8 9 Bytes  [00, CF, FA, 75, 4A, B8, 04, ...]
.text  netbt.sys!?EnumMessageW@@YGPAHGKHF&U  91CB2BC2 161 Bytes  [66, 39, 46, 5A, 75, 0B, 8B, ...]
.text  netbt.sys!?InvalidateMutantA@@YGXPADKD&U + 48  91CB2C64 133 Bytes  [72, 08, 29, 05, 10, 2D, CD, ...]
.text  netbt.sys!?InvalidateMutantA@@YGXPADKD&U + CE  91CB2CEA 133 Bytes  [74, 32, 8B, 46, 24, 3B, C3, ...]
.text  netbt.sys!?InvalidateMutantA@@YGXPADKD&U + 154  91CB2D70 51 Bytes  [FF, 08, 8D, 86, F0, 00, 00, ...]
.text  netbt.sys!?InvalidateMutantA@@YGXPADKD&U + 188  91CB2DA4 99 Bytes  [66, 01, 05, 2A, 2E, CD, 91, ...]
.text  netbt.sys!?InvalidateMutantA@@YGXPADKD&U + 1EC  91CB2E08 93 Bytes  [74, 1A, 6A, 01, 6A, 02, 57, ...]
.text  ...
.text  netbt.sys!?RtlSectionW@@YGJHPAN&U + 36  91CB3222 121 Bytes  [18, 8B, C6, EB, D9, 90, 90, ...]
.text  netbt.sys!?RtlSectionW@@YGJHPAN&U + B0  91CB329C 478 Bytes  [00, 83, C2, 0B, 89, 50, 10, ...]
.text  netbt.sys!?RtlSectionW@@YGJHPAN&U + 28F  91CB347B 69 Bytes  [85, C0, 7C, 1B, F7, 45, 0C, ...]
.text  netbt.sys!?RtlSectionW@@YGJHPAN&U + 2D5  91CB34C1 555 Bytes  [B8, 0D, 00, 00, C0, EB, 3B, ...]
.text  netbt.sys!?RtlSectionW@@YGJHPAN&U + 501  91CB36ED 5 Bytes  [00, 8B, CF, 8B, D8]
.text  ...
.text  netbt.sys!?CallNameExW@@YGPAXJPAI&U + C  91CB49EE 4 Bytes  [80, 8C, 00, 00]
.text  netbt.sys!?CallNameExW@@YGPAXJPAI&U + 11  91CB49F3 1077 Bytes  [EB, 02, 33, C0, 83, B9, 10, ...]
.text  netbt.sys!?CallNameExW@@YGPAXJPAI&U + 447  91CB4E29 27 Bytes  CALL 91CD32A4 \SystemRoot\System32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text  netbt.sys!?CallNameExW@@YGPAXJPAI&U + 463  91CB4E45 65 Bytes  [74, 25, 80, 78, 1D, 04, 72, ...]
.text  netbt.sys!?CallNameExW@@YGPAXJPAI&U + 4A5  91CB4E87 676 Bytes  [91, 3D, 00, 20, CD, 91, 74, ...]
.text  ...
.text  C:\Windows\System32\DRIVERS\netbt.sys  section is writeable [0x91CB2000, 0xA776, 0xE8000020]
?  C:\Windows\System32\DRIVERS\netbt.sys  suspicious PE modification
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x9283D000, 0x37D761, 0xE8000020]
.text  USBPORT.SYS!DllUnload  93872DB9 5 Bytes  JMP 871511D8

---- User code sections - GMER 1.0.15 ----

.text  C:\Windows\system32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory  770F5F18 5 Bytes  JMP 006D000A
.text  C:\Windows\system32\svchost.exe[972] ntdll.dll!NtWriteVirtualMemory  770F6A98 5 Bytes  JMP 0074000A
.text  C:\Windows\system32\svchost.exe[972] ntdll.dll!KiUserExceptionDispatcher  770F6FE8 5 Bytes  JMP 0067000A
?  C:\Windows\system32\svchost.exe[972] C:\Windows\system32\smss.exe  image checksum mismatch; time/date stamp mismatch;
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3844] ntdll.dll!LdrLoadDll  7711223E 5 Bytes  JMP 5F9E5B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [8C007042] \SystemRoot\System32\Drivers\sprf.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [8C0076D6] \SystemRoot\System32\Drivers\sprf.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [8C007800] \SystemRoot\System32\Drivers\sprf.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [8C00713E] \SystemRoot\System32\Drivers\sprf.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap]  83EC8B55
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString]  458D74EC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx]  15FF50F8
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar]  [013CF014] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose]  01FC7531
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile]  458DF875
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile]  15FF508C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile]  [013CF004] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString]  458D086A
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString]  458D50F8
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap]  15FF508C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger]  [013CF000] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile]  508C458D
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv]  F00815FF
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation]  458B013C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul]  E84533E4
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey]  33EC4533
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey]  C3C9F045
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey]  8BEC8B55
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey]  EC833040
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory]  57565314
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile]  D98B388B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx]  EB04708D
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply]  46B70F20
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile]  30448D1A
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess]  F0F0681C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString]  4F50013C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString]  00DCAFE8
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation]  85595900
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U]  811374C0
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U]  00011CC6
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey]  [75FF8500] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile]  5FC033DC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey]  C2C95B5E
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf]  468B0008
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite]  F4458908
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled]  8B0C468B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject]  45890473
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor]  74F685F0
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor]  D8BB8D77
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce]  57000000
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl]  3D015068
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor]  8D426A01
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid]  4E50FC45
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString]  F0E015FF
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile]  C085013C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk]  458D537C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject]  046A50EC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject]  50F8458D
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject]  [75FF096A] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString]  DC15FFFC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString]  85013CF0
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp]  8B317CC0
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort]  452BF845
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx]  F0453BF4
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx]  006A2673
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject]  FFFC75FF
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString]  3CF0D415
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy]  7CC08501
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp]  0C4D8B17
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable]  1F8B018B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace]  8908558B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U]  5F8BC21C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits]  C25C8904
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun]  01894004
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit]  FFFC75FF
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData]  3CF0D815
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData]  40C78301
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData]  8F75F685
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor]  E940C033
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce]  FFFFFF67
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid]  51EC8B55
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce]  0173A051
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString]  5653013D
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject]  C0BE0F57
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject]  7D89FF33
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject]  DC2AE8F8
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields]  DC8B0000
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot]  45C7F633
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!memset]  001000FC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection]  FC458B00
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection]  0F73F83B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues]  11E8C72B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U]  8B0000DC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread]  2BC38BF4
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject]  8DF88BC6
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess]  5750FC45
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters]  FF056A56
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess]  3CF0D015
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx]  00043D01
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString]  D574C000
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile]  047DC085
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr]  60EBC033
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege]  F003C033
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry]  468D016A
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork]  18685038
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork]  FF013CF1
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork]  3CF0CC15
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent]  [75C08401] C:\Windows\system32\MSCTF.dll (MSCTF Server DLL/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment]  85068B08
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment]  EBE375C0
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent]  68006A3C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits]  00040000
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits]  F07415FF
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap]  F88B013C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort]  2974FF85
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess]  FF016A57
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap]  15FF4476
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive]  [013CF020] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive]  127CC085
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread]  8B0C75FF
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken]  0875FFCE
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken]  81E8C78B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort]  89FFFFFE
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared]  FF57F845
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared]  3CF02415
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads]  F8458B01
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort]  5FEC658D
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock]  C2C95B5E
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort]  8B550008
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute]  3CEC81EC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort]  56000002
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess]  E856F08B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage]  0000DB36
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort]  00803D59
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute]  870F0000
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical]  000000AC
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort]  0F2E3E80
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject]  0000A384
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent]  858D5600
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable]  FFFFFDC8
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits]  3CF12068
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay]  15FF5001
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent]  [013CF02C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW]  FDC8858D
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable]  2E6AFFFF
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits]  DB06E850
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid]  C4830000
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError]  74C08514
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects]  66C9337B
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion]  C0830889
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool]  F1906802
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical]  E850013C
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister]  0000DAF2
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation]  C0855959
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable]  858D6275
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution]  FFFFFDC8
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString]  CC758D50
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent]  000DFFE8
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege]  19685000
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege]  8D000200
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions]  FF50FC45
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul]  3CF03815
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp]  7CC08501
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter]  EC458D3F
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind]  50106A50
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams]  2868026A
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm]  FF013CF2
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm]  F633FC75
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [73E52437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [73E35600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73E356BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73E524B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [73E48514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [73E44CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [73E4506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [73E45144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [73E46671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [73E4826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73E487BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [73E4901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [73E4E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [73E44BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\system32\HPSIsvc.exe[2488] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\HPSIsvc.exe[2488] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\HPSIsvc.exe[2488] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\HPSIsvc.exe[2488] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\HPSIsvc.exe[2488] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\system32\HPSIsvc.exe[2488] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3872] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3872] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3872] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3872] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [7517FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  85D801F8
Device  \FileSystem\fastfat \FatCdrom  8B3FB1F8
Device  \Driver\volmgr \Device\VolMgrControl  85D7A1F8
Device  \Driver\usbohci \Device\USBPDO-0  871521F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{8E07C906-D0D5-484C-87A6-9CE3430E1AC2}  86F3D1F8
Device  \Driver\usbohci \Device\USBPDO-1  871521F8
Device  \Driver\usbehci \Device\USBPDO-2  871531F8
Device  \Driver\usbohci \Device\USBPDO-3  871521F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{6F57BC09-FA37-4880-BF30-2D5AE00EFEE2}  86F3D1F8
Device  \Driver\usbehci \Device\USBPDO-4  871531F8
Device  \Driver\usbohci \Device\USBPDO-5  871521F8
Device  \Driver\ACPI_HAL \Device\00000057  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device  \Driver\volmgr \Device\HarddiskVolume1  85D7A1F8
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device  \Driver\volmgr \Device\HarddiskVolume2  85D7A1F8
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device  \Driver\cdrom \Device\CdRom0  86F601F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{71E9711A-F0D3-45A1-9515-9BECBA08A857}  86F3D1F8
Device  \Driver\volmgr \Device\HarddiskVolume3  85D7A1F8
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device  \Driver\amdsata \Device\00000067  85D7E1F8
Device  \Driver\amdsata \Device\00000068  85D7E1F8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  86F3D1F8
Device  \Driver\amdsata \Device\RaidPort0  85D7E1F8
Device  \Driver\usbohci \Device\USBFDO-0  871521F8
Device  \Driver\usbohci \Device\USBFDO-1  871521F8
Device  \Driver\usbehci \Device\USBFDO-2  871531F8
Device  \Driver\usbohci \Device\USBFDO-3  871521F8
Device  \Driver\usbehci \Device\USBFDO-4  871531F8
Device  \Driver\usbohci \Device\USBFDO-5  871521F8
Device  \FileSystem\fastfat \Fat  8B3FB1F8
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  91C98000-91CB1000 (102400 bytes)

---- Processes - GMER 1.0.15 ----

Process  C:\Windows\System32\ping.exe (*** hidden *** )  3860

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x26 0xAD 0x31 0xD8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x26 0xAD 0x31 0xD8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x27 0xEE 0xB3 0x2C ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x2D 0xD3 0x9E 0x04 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount  3

---- Files - GMER 1.0.15 ----

File  C:\Windows\$NtUninstallKB34655$\195809264  0 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774  0 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\@  2048 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\cfg.ini  316 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\Desktop.ini  4608 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\L  0 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\L\xadqgnnk  187904 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\twl.dll  223744 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\U  0 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\U\00000001.@  2048 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\U\00000002.@  224768 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\U\00000004.@  1024 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\U\80000000.@  66560 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\U\80000004.@  12800 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\U\80000032.@  96256 bytes
File  C:\Windows\$NtUninstallKB34655$\558474774\version  868 bytes

---- EOF - GMER 1.0.15 ----
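The following triage helper is an added example, not part of the GMER report above or of GMER itself. It parses report lines by their "---- section ----" header and raises a finding for each indicator class that this scan exhibits: an object marked "*** hidden ***" (module, process), a loaded driver whose .text section is writeable or flagged "suspicious PE modification", a "?" entry for a driver that is present in memory but cannot be opened on disk, kernel IAT entries whose target module is one of those missing drivers (cross-referenced, so the sprf.sys hooks on atapi.sys score higher than a bare IAT redirect), inline JMP hooks whose target GMER could not attribute to any module, SSDT redirections, user-mode IAT entries GMER printed as a bare value with no module attribution, and anything listed under Files. The sample input is constructed by copying a handful of entries from the scan above with GMER's column padding collapsed to two spaces, plus the firefox.exe and gdiplus.dll lines as benign contrast cases. The severity labels are this script's own heuristic and are an assumption, not a GMER verdict.

```python
"""Triage helper for GMER rootkit-scan reports (added example; not GMER's own code).

Lines are grouped by GMER section header and classified by indicator class.
Severity labels are this script's heuristic (assumption), not GMER output.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the scan log above, column padding
# collapsed to two spaces (the parser is whitespace-tolerant).  The firefox.exe
# and gdiplus.dll lines are benign contrast cases and must not be flagged.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT  922C8826  ZwCreateSection
SSDT  922C87C7  ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
?  System32\Drivers\sprf.sys  The system cannot find the path specified. !
.text  C:\Windows\System32\DRIVERS\netbt.sys  section is writeable [0x91CB2000, 0xA776, 0xE8000020]
?  C:\Windows\System32\DRIVERS\netbt.sys  suspicious PE modification
.text  USBPORT.SYS!DllUnload  93872DB9 5 Bytes  JMP 871511D8
---- User code sections - GMER 1.0.15 ----
.text  C:\Windows\system32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory  770F5F18 5 Bytes  JMP 006D000A
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3844] ntdll.dll!LdrLoadDll  7711223E 5 Bytes  JMP 5F9E5B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [8C007042] \SystemRoot\System32\Drivers\sprf.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT  C:\Windows\system32\svchost.exe[972] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap]  83EC8B55
IAT  C:\Windows\Explorer.EXE[1892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [73E52437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Modules - GMER 1.0.15 ----
Module  (noname) (*** hidden *** )  91C98000-91CB1000 (102400 bytes)
---- Processes - GMER 1.0.15 ----
Process  C:\Windows\System32\ping.exe (*** hidden *** )  3860
---- Files - GMER 1.0.15 ----
File  C:\Windows\$NtUninstallKB34655$\558474774\U\80000032.@  96256 bytes
"""

HEADER = re.compile(r"^---- (.+?) - GMER")
# "JMP <addr> <module path> (<description>)": GMER resolved the hook target.
JMP_ATTRIBUTED = re.compile(r"\bJMP\s+[0-9A-F]{8}\s+\S.*\(.+\)$")
# Kernel IAT entry: "... [<addr>] <module path>" at end of line.
KERNEL_IAT_TARGET = re.compile(r"\[[0-9A-F]{8}\]\s+(\S+)\s*$")
# User IAT entry printed as a bare value: GMER found no module for it.
USER_IAT_UNRESOLVED = re.compile(r"\]\s+[0-9A-F]{8}$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high" or "medium" (heuristic)
    reason: str
    line: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def missing_drivers(lines):
    """Basenames of modules GMER saw in memory but could not open on disk."""
    return {basename(l.split()[1]) for l in lines
            if l.startswith("?") and "cannot find the path" in l}


def classify(section, line, missing):
    """Return (severity, reason) for one report line, or None if unremarkable."""
    if "*** hidden ***" in line:
        return "high", "object hidden from the normal enumeration API"
    if "suspicious PE modification" in line or "section is writeable" in line:
        return "high", "kernel driver image modified in memory"
    if line.startswith("?") and "cannot find the path" in line:
        return "high", "loaded driver has no backing file on disk"
    if line.startswith("SSDT"):
        return "medium", "SSDT entry redirected; identify the owning module"
    if line.startswith("IAT") and section.startswith("Kernel"):
        m = KERNEL_IAT_TARGET.search(line)
        if m and basename(m.group(1)) in missing:
            return "high", "kernel IAT redirected into a driver missing on disk"
        return "medium", "kernel IAT hook"
    if line.startswith("IAT"):
        if USER_IAT_UNRESOLVED.search(line):
            return "medium", "user IAT entry not attributable to any loaded module"
        return None
    if " JMP " in line:
        if JMP_ATTRIBUTED.search(line):
            return None   # hook target resolved to a named module (e.g. xul.dll)
        return "high", "inline JMP hook with a target attributed to no module"
    if section == "Files":
        return "medium", "file listed by GMER; confirm with an offline listing"
    return None


def triage(log_text):
    """Two passes: collect missing drivers, then classify every line."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    missing = missing_drivers(lines)
    section, findings = "header", []
    for line in lines:
        m = HEADER.match(line)
        if m:
            section = m.group(1)
            continue
        hit = classify(section, line, missing)
        if hit:
            findings.append(Finding(section, hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:22} {f.reason}\n         {f.line}")
```

The cross-reference in triage() is the part worth keeping: a hook by itself is ambiguous (security products and shims such as apphelp.dll redirect imports too), but a hook whose target module cannot be opened on disk is a much stronger signal, which is why the atapi.sys entries pointing at sprf.sys are rated above a generic IAT redirect. Run it against a saved GMER report with triage(open(path, encoding="utf-8", errors="replace").read()).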